Support for SSLv3 to be Discontinued in Response to POODLE Vulnerability

Edward Snowden's disclosures provided proof that some of the Internet eavesdropping attacks long theorized in the security community were likely to be already widely used by governments worldwide. This led to a significantly increased level of interest in finding and closing vulnerabilities in the Internet's encryption infrastructure. This Google blog post discloses the most recent discovery: POODLE. It's best to read the Google Researchers' paper for full details but the essence of the vulnerability is as follows:

Very old versions of the SSL protocol (SSL 3.0 aka SSLv3) were found some time ago to have weaknesses that could be exploited by someone with the capability to intercept and modify traffic between client and server (details in CVE-2014-3566). Typically this "someone" would be a government agency but it could be an ISP or in theory even your local coffee shop if you use their WiFi hotspot.

Suspected or known weaknesses have existed in SSLv3 for years and newer protocols (TLS 1.0 then TLS 1.1 and 1.2) were developed with the intention that they would supersede it. However, because it takes years to roll out new encryption protocols across all the computers, phones and servers on the Internet, the protocols were given a mechanism that allows client and server to negotiate which protocol to use, the idea being that an older client would select SSLv3 while a newer one would select TLS 1.x. This turns out to lead to a way to exploit the POODLE vulnerability even when using modern TLS 1.x-capable systems because, although today (more than 10 years later) there is no good reason to use SSLv3, the code that allows protocol negotiation is still present in most browsers and servers. An attacker with network-level access can modify packets as they cross the Internet and thereby trick that negotiation mechanism into selecting SSLv3. Once that has been done the same attacker can capture the encrypted data and use the weaknesses in SSLv3 encryption to break it, giving them the original plain text.

The upshot is that this long-unneeded capability to fall back to the SSLv3 protocol exposes the potential to allow widespread eavesdropping on the Internet for those who are able to gain access to the network itself. The obvious and quickest fix is to discontinue all use of SSLv3. Accordingly since last night NuevaSync's servers no longer will provide SSLv3 support.
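One way to check the outcome of the negotiation described above is to read the version field of the ServerHello the server sends back. The following is an added example, not NuevaSync's code: it parses captured ServerHello records and lists the endpoints that selected SSLv3. The host names and handshake bytes are constructed for illustration.

```python
import struct

# Wire values of the (major, minor) version field. TLS 1.3, which postdates
# this post, also reports (3, 3) here and is not distinguished by this sketch.
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}

HANDSHAKE = 22     # record content type
SERVER_HELLO = 2   # handshake message type


class ParseError(ValueError):
    """Raised when the bytes are not a complete ServerHello record."""


def negotiated_version(record):
    """Return the protocol version the server selected in a ServerHello record."""
    if len(record) < 5:
        raise ParseError("truncated record header")
    ctype, _rec_major, _rec_minor, rlen = struct.unpack("!BBBH", record[:5])
    if ctype != HANDSHAKE:
        raise ParseError("not a handshake record")
    body = record[5:5 + rlen]
    if len(body) != rlen or rlen < 6:
        raise ParseError("truncated handshake record")
    if body[0] != SERVER_HELLO:
        raise ParseError("not a ServerHello")
    msg_len = int.from_bytes(body[1:4], "big")
    if msg_len < 2 or 4 + msg_len > len(body):
        raise ParseError("bad ServerHello length")
    version = (body[4], body[5])   # server_version: the negotiation result
    return VERSIONS.get(version, "unknown 0x%02x%02x" % version)


def audit(handshakes):
    """Return ({name: selected version or error}, [names that selected SSLv3])."""
    selected, flagged = {}, []
    for name, record in handshakes:
        try:
            selected[name] = negotiated_version(record)
        except ParseError as exc:
            selected[name] = "error: %s" % exc
            continue
        if selected[name] == "SSLv3":
            flagged.append(name)
    return selected, flagged


def sample_server_hello(version):
    """Build a constructed ServerHello record (zeroed random, empty session id)."""
    hello = bytes(version) + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00"
    msg = bytes([SERVER_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BBBH", HANDSHAKE, version[0], version[1], len(msg)) + msg


# Constructed sample data; the host names are placeholders.
SAMPLES = [
    ("mail.example.test", sample_server_hello((3, 3))),
    ("legacy.example.test", sample_server_hello((3, 0))),
    ("broken.example.test", sample_server_hello((3, 1))[:20]),  # cut short
]

if __name__ == "__main__":
    versions, sslv3 = audit(SAMPLES)
    for host, result in versions.items():
        print(host, "->", result)
    print("selected SSLv3:", sslv3)
```

A server with SSLv3 discontinued should never appear in the second list, whatever version the client offered.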

All computers, web browsers and phones made in the last 10 years will be unaffected by this change. There is a very small chance that extremely old devices that only have SSLv3 support are still in use. There is also a theoretical possibility that an IMAP server belonging to one of our users does not support TLS. We think it is highly unlikely that discontinuing support for SSLv3 will have any effect on any of our users, but don't hesitate to contact the support team (via the support page in our Control Panel site) if you think it is possible you're seeing an SSL-related problem, especially if it was first seen today.

iOS8 Update? New iPhone 6? No problem: the newest iOS version and iPhones are fully supported at NuevaSync

Apple's iOS8 update has been rolling out to the world's iPhones and iPads over the past few days. In addition, those who pre-ordered the new iPhone 6 devices have begun to see them delivered. Understandably for such a large scale update, we've had some users ask if there are any known issues with both iOS8 and the new iPhone 6 and iPhone 6 Plus. The good news is that there are no known or reported issues. We have, though, seen a few reports of devices failing to enable push service after updating from iOS7. In cases where this has happened, a second reboot (one more than the reboot done as part of the update) will get the device back on track. We don't know why this happens but it has been a fairly commonly reported syndrome with some of the previous iOS updates. So remember: If email or calendar updates are not pushing after an iOS update, just restart your phone and all should be well. Sync On!

The recent news about a bug present in certain versions of the OpenSSL network encryption project has for good reasons caused great concern in the security community. Officially named CVE-2014-0160 but more popularly known as the Heartbleed Bug, it allows an unauthenticated attacker to read portions of server process memory. The ability to read arbitrary memory locations in turn allows an attacker to potentially access data from an encrypted connection once it has been decrypted inside the server process. In addition, an attacker may be able to read the private key for the server's certificate because the private key is loaded into server memory. Possession of this key can allow decryption of SSL traffic captured by eavesdropping, for example on a WiFi network. This is all really bad news.

The good news for us and for NuevaSync users is that we're unaffected by this bug. This is because although we do use OpenSSL, we do not use the vulnerable versions of the OpenSSL library (and haven't in the past either). The absence of the Heartbleed vulnerability in our services has been verified both by an audit of source code and running binaries, and by testing against the various SSL endpoints we expose, just to be extra sure (there have been cases reported where a "non-vulnerable" version of OpenSSL in fact had the bug "back-ported" into the code, so a version check alone is not sufficient).

Google has made a sudden change to their Contacts API service which invalidates many of the existing OAuth tokens issued for synchronization by NuevaSync users. Affected users need to request a fresh token through the NuevaSync control panel in order to restore normal sync functionality.

When logged into the NuevaSync site, if you see a red ‘X’ as the Google Contacts’ status, your account is almost certainly affected.

With the release of Windows 8, Surface, and the rest of the new goodies from Microsoft, we wanted to point everyone to our wiki page on how to configure your new devices--be it desktop, tablet, ultrabook, or laptop--to start syncing with NuevaSync.

As the retail launch of Windows 8 nears, it is a good time to highlight our support for its all-new mail, calendar, and contacts applications.

All the new applications are supported on the desktop installation of Windows 8 Professional as well as mobile-oriented platforms like tablets. Yes, that means you can now start using your NuevaSync account to synchronize your contacts and calendar—and receive push e-mail—on your desktop and your laptop in addition to your phone or tablet.

It is unbelievably handy to be certain that your calendar and contacts are in sync across any and all the computers you are using, and that any changes you make will reach your phone (and vice versa, of course). Try it and you’ll like it, as the saying goes.

The 15-second description for getting started is to open the Mail app, go to Settings, and then Add an account. Choose an Outlook-style account and follow the prompts. A few seconds later you’ll be syncing.

By default in 37Signals Highrise, new contacts are visible to everyone in the Highrise domain. Today we added the option for you to choose whether you’d like to use the default (‘Everyone’) or make new contacts visible just to you (‘Owner’).

That is an important setting when many people share the Highrise domain and you don’t necessarily want to have every contact you add immediately added to their phones as well.

The setting is very simple to change. Click ‘setup’ next to Highrise on the status page, and then choose ‘Advanced Settings.’ (You can also just click those links.)

If you have any questions or suggestions about the feature, contact us.

Confirming a story industry news site Engadget broke last year, a user sent us this screen shot from their RIM PlayBook after installing the recent 2.0 software update. PlayBook 2.0 adds email support, including Exchange sync, but apparently doesn't work with RIM's in-house (BES-based) sync service:

Our user-reporter notes that his PlayBook 2.0 works well with NuevaSync -- he's using our service to get his Google Calendar synced with the tablet.

Microsoft's recent update to Windows Phone 7 (at first called "Mango" but later launched as Windows Phone 7.5, without the air-quotes) brings some significant and welcome enhancements to its sync capabilities. Showing these off in a blog post poses some challenges because there is no screen-capture facility in WP7, but I was able to use a tool available from Canon to capture some images from my HD7:

The most eagerly awaited change is support for multiple calendars. Windows Phone 7 had a concept of multiple calendars, but only synced one calendar per server. Windows Phone 7.5 removes that restriction with color-coded calendars similar to the iPhone's:

In addition to multiple calendars, tasks/todo items are now supported and displayed in the calendar app:

The email app has also been subject to some re-work. It now features a threaded view that for my tastes is superior to that of the iPhone. For example messages sent by you are included in the thread, and it is easier to see multiple threads at a glance because they're displayed in the main inbox view rather than when opened individually.

Apple's iOS5 which became available for download today includes several major sync enhancements. The most significant is that the email app is now able to process message delete and move operations without a live connection to the server, sending the requests to the server later once its connection is restored. This feature will make subway riders everywhere happy. But probably the most visible is the addition of sync for tasks (which Apple calls Reminders):

The Reminders app is simple but effective. It has task due dates (with a time of day), the notes field and a task priority setting.

Another new feature that we have support for in NuevaSync is the ability to create and rename folders on the device. In the email app if you click the "Edit" button on the folder list view then click "New Mailbox" this screen appears, allowing the creation of a new folder on the server:

Similarly, the Calendar app allows the creation of new calendars, which we have support for in our Google Calendar data source. Just click "Add Calendar..." :

At present NuevaSync has folder creation and rename enabled for GMail and IMAP Email, for Google Calendar and also Google Tasks (beta test feature). Although the device allows the user to delete folders, we're not allowing folder delete operations to be executed for safety reasons. The potential to inadvertently delete an entire calendar or email folder with a slip of the thumb scares us. Here's a screen shot from the Google side after creating a new calendar and a new task list on the iPhone:

Finally, the iOS5 email app adds support for message "flags". This allows you to mark messages as requiring attention, or being otherwise notable, on the device or server. Click "Mark" in the header area in a message to access this feature. The flag state is synced just like read/un-read status. GMail represents the message flag with a star. Flags look like this:

Today we are introducing a great new feature for owners of Nokia, Windows Phone 7, and webOS (HP Touchpad) devices.

Many people like to organize their events into separate calendars. One for work, one for family, one for sports, etc. It is a handy way to keep everything in its place. However, many phones don’t support synchronizing more than one calendar. So that all of your events will be available at your fingertips, no matter what calendar they are in, for these devices NuevaSync has always automatically merged your calendars together as they’re synchronized to your phone. While this makes sure that all your important information is available, in the past it hasn’t always been easy to tell which event belongs to which calendar, or to add events into the calendar that you want.

NuevaSync has created a solution with a new feature that we call ‘@Cal’. When syncing an event to the device, we place the calendar name into the ‘Location’ field, prepended with an ‘@’—for example, ‘@Work’. Since the location is commonly used for real information, we never overwrite any real value that may be there. We simply add the calendar name to it, separated by a comma. For example, ‘@Work, Jim’s Office’.

This works just as well for events created from your phone. You can add—and even move—events between calendars simply by setting the calendar name in the location. If you have a real location to put in too, simply add it after the calendar name and it will be synced as always. And don’t worry, the calendar name will not be included in the location field at Google, only the real value.

Typing the calendar name is usually easy, but some calendars have long names that would be a chore to type accurately on a phone's keyboard. For those cases, you can use the initials of the calendar instead. For example, if you have a calendar called ‘Jamie’s Soccer Games’, instead of typing the full name, you can enter the much shorter and easier ‘@jsg’—e.g. ‘@jsg, Zink Field’. To keep everything consistent, we will sync the entry back to your device a few moments later with the unabbreviated calendar name filled in, plus whatever real location you specified: ‘@Jamie’s Soccer Games, Zink Field’.
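The location-field convention described above can be sketched in a few lines. This is an added example, not NuevaSync's implementation: the function names, the default calendar, case-insensitive matching and the handling of unknown or ambiguous tags are all assumptions, and it assumes calendar names contain no commas.

```python
def initials(name):
    """First letter of each word, lower-cased: 'Jamie’s Soccer Games' -> 'jsg'."""
    return "".join(word[0] for word in name.split()).lower()


def split_location(location, calendars, default):
    """Device -> server: return (calendar, real location) for a synced event.

    The tag is matched against full calendar names first, then against
    initials. Assumption: an unknown or ambiguous tag leaves the event in the
    default calendar and keeps the whole text as the real location.
    """
    text = location.strip()
    if not text.startswith("@"):
        return default, text
    tag, _, rest = text[1:].partition(",")   # only the first comma separates
    key, rest = tag.strip().lower(), rest.strip()
    for name in calendars:
        if name.lower() == key:
            return name, rest
    matches = [name for name in calendars if initials(name) == key]
    if len(matches) == 1:
        return matches[0], rest
    return default, text


def join_location(calendar, location):
    """Server -> device: prepend '@<calendar>' without overwriting the real value."""
    tag = "@" + calendar
    return tag + ", " + location if location else tag


# Constructed sample calendars; 'Work' and 'Wellness' share the initial 'w'.
CALENDARS = ["Work", "Wellness", "Jamie’s Soccer Games"]
DEFAULT = "Personal"   # hypothetical default calendar

if __name__ == "__main__":
    for typed in ["@jsg, Zink Field", "@Work, Jim’s Office", "@w, Gym", "Zink Field"]:
        calendar, real = split_location(typed, CALENDARS, DEFAULT)
        # 'real' is what would be stored at the calendar source; the device
        # later receives the unabbreviated form built by join_location().
        print(repr(typed), "->", calendar, "|", repr(real), "|",
              repr(join_location(calendar, real)))
```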

@Cal is so useful that we’ve enabled it by default for all our users, but it can be disabled if you choose. For more information, visit our @Cal wiki page, which has complete details on the feature.

Users of other phones may be wondering how we support multiple calendars for their device. Apple iPhones, iPads, and iPods have native multi-calendar support which we take full advantage of when syncing. For Windows Mobile and other phones which support event categories, we offer a category mapping feature which works similarly to @Cal, identifying the calendar for each event, and allowing new events to be inserted and moved between calendars.

We hope you enjoy this new feature. If you have any questions, or encounter any problems, contact NuevaSync support or talk about it in the forums.

In our four-year corporate history, the NuevaSync team has worked exclusively on our server-side software, so we’re proud to announce our first venture into client coding: the NuevaSync Add-on for Mozilla Thunderbird.

The Add-on provides real-time sync status monitoring in the Thunderbird status bar. It is a handy way to tell at a glance whether your device is syncing properly—something that is particularly useful before you leave the office and take it on the road with you. More detailed information, such as the last time a message was pushed to your phone, is also available in a separate status window.

For first time NuevaSync users, the Add-on offers a quick and reliable way to create your NuevaSync Premium trial account, fully set up in only a few clicks. It is so simple and easy because it uses the same email settings as Thunderbird to pre-configure the details for your new NuevaSync account.

Under the covers, the Add-on makes use of a new facility in the NuevaSync cloud service: remotely accessible device status. It has been implemented with a secure token authentication and access control mechanism that is designed to provide the maximum protection for our users’ information. We share the Mozilla community’s interest in security and privacy, so we've made available information on the security of the new system. The capability to present sync status securely to remote clients is a great new feature in itself, and we plan on using it in other ways in the future.

The NuevaSync Add-on for Mozilla Thunderbird is available to try now, but since it is still undergoing Mozilla’s full review process, you need to download the XPI file from this page at Mozilla. Save the file, then install it in Thunderbird using the “Install” button under the “Tools\Add-ons” menu entry.

You've probably heard that the Internet has recently run out of unused addresses. There are some good pages explaining the full history, but the current IPv4 address space exhaustion was foreseen long ago. I was present at Scott Bradner's initial presentation to the November 1993 IETF meeting and as I recall at the time the concern was that Microsoft's new consumer desktop Operating System (Windows95) would include Internet networking. It was thought that this alone could use up all the remaining addresses within a few years. It turned out that Network Address Translation (NAT) was subsequently widely deployed, which delayed the process by at least a decade, but finally in 2011 the address space is all used up. The solution, developed under the IETF working groups established as a result of Scott's talk, is IPv6. It includes support for a much larger address space. So large that there is no practical possibility of running out of addresses (ever). IPv6 has been available in most operating systems, routers and servers for many years but unfortunately has for the most part not been used. The reason for this lack of adoption is that ISPs have not shown much interest in making IPv6 available. This makes sense since they have plenty of addresses themselves! But with all the IPv4 addresses now used up, the time has come to take action:

ISOC's World IPv6 Day

The Internet Society has organized World IPv6 Day in conjunction with a number of large web properties and network operators. NuevaSync has signed up as an active participant. This means that on June 8 our main sync service "endpoint", and all our web site facilities will be accessible using IPv6. This is a little different, and more ambitious than simply being "IPv6-reachable" with a special host name. It means that mobile devices and web browsers accessing our services will automatically select IPv6 to communicate with our servers, if it's available on that day. Of course if a device does not have IPv6 connectivity it will use regular IPv4 as usual–it'll still work as before. If there are no significant problems discovered on "World Day", the plan is to leave our IPv6 support in place on an ongoing basis.

Prior to June 8 we have IPv6 available using the host name: ipv6.nuevasync.com

Our web site, including the control panel, is IPv6 accessible: http://ipv6.nuevasync.com/

Devices can be configured to sync to this server: ipv6.nuevasync.com (but please be sure to read the warnings below before you configure a device to sync with this server).

Can you use IPv6?

If you'd like to try IPv6 the first task is to check for connectivity from your computer and mobile devices. We've found this test site to be the best way to do that. Most Windows 7 computers will have IPv6 thanks to automatic tunneling (which works even if your ISP does not directly offer IPv6 service). However, for mobile devices the picture is somewhat patchy. First, we have yet to find a local mobile network provider here in the USA offering IPv6 (although there is a rumor that Verizon has it on their LTE service and T-Mobile has a beta test program underway). So our testing was done using WiFi. None of the devices we tested supported automatic tunneling so you will need "real" IPv6 on your network. Since our ISP at the office does not yet offer IPv6 (boo, hiss...) the NuevaSync HQ is using Hurricane Electric's free IPv6 Tunnel Broker service (which has worked well for demos and testing). Second, not all devices have fully functional IPv6 support. For example, here's the test result for a Samsung Android 2.2 phone. It has IPv6 support, but for some reason does not perform the necessary AAAA record DNS lookups (another Android phone from HTC tested ok):

However, Apple device owners are in great shape. All our iOS4 iPhones, iPads and iPod touches pass the test:

How to test IPv6 with NuevaSync

The web site http://ipv6.nuevasync.com is only reachable using IPv6 so if you can load the site, that means your browser can use IPv6. To check to see if a device is using IPv6 for its sync connections just look at its sync scope page on our control panel site. You should see the IPv6 address format with ":" characters as shown in the screen shot below:

A Warning for IPv6 Testers

There is one issue to beware of when testing sync using the server name ipv6.nuevasync.com (this won't be a problem when the main www.nuevasync.com host name is IPv6-enabled). Don't configure one device to sync with both ipv6.nuevasync.com and www.nuevasync.com at the same time. This will typically give strange (and not good) results because the device sends the same "unique" id to both servers. In reality the two host names end up at the same cluster of sync servers and as a result will not function properly (the split-personalities of the device will fight, continually triggering resyncs in each other). To avoid this pitfall just turn off one sync account on the device, or use two different NuevaSync accounts.

If so then you'll love this new feature: messages created by replying and forwarding on the device can now have the "correct" sender address. Just to be clear – this feature applies to the common situation where email sent to two or more addresses is delivered into the same mailbox – it won't help you sync two separate mailboxes (you'll still need two accounts to do that).

Let's say you use these email addresses: john@smithfamily.org and j.smith@seriousbusiness.com. Until now, you had to pick one address to be used as the sender for all messages composed on your phone. Not great if you're trying to keep your personal and business email identities separate. But now, when you reply to a message or forward a message on the device, the new message gets the sender address that matches the original. Note that:

Your NuevaSync account must be configured with the list of email addresses you use (see below for how to do this).

The feature doesn't work with all devices, but it does work with the most popular ones : iPhone, iPad, Windows Mobile, Windows Phone 7, Nokia S60 Series.

The sender address for entirely new messages composed on the device (not replies, not forwarding) can't be overridden. Your default sender address is always used. If you have an Apple device, you can send an email to yourself (using the address you want to send to) then forward that message to the intended recipients as a workaround.

The email addresses you use must be configured in the NuevaSync Control Panel. If you haven't done that, the feature won't work. Here's how to configure:

The next page looks like the screen shot below. Enter all the email addresses you're using with the mailbox associated with your NuevaSync account.

Click save and you're ready to test. We recommend sending a message to yourself at each of the addresses. Reply to each of those messages on your device then check with your desktop email application to verify that the sender addresses on the reply messages are correct.

GMail and Google Apps Email users should note that the "extra" addresses will need to be added as valid sender addresses to the Google account. If this isn't done Google's SMTP servers will replace whatever sender address our server uses with the Google account's primary email address.

Celebrating the Verizon iPhone with a $10 discount for premium service

Here at the NuevaSync HQ we're celebrating the arrival of our first Verizon iPhone. Verizon runs a great service and the iPhone's a wonderful device but its arrival on the big red network has special significance for us because we're in a part of the world (Montana) where until today the iPhone was a rare curiosity. That's because the former exclusive carrier in the USA for the iPhone does not sell service here. In fact a cottage industry has grown up in these parts "importing", unlocking and re-SIM'ing iPhones for use here. Unfortunately the user experience with a black-market iPhone isn't great because the local GSM carrier is 2G-only.

We had 18" of new powder overnight but the awesome Quinn from FedEx battled through the blizzard, his van laden with iPhones and by mid-morning I was enjoying the 3G iPhone goodness that before today we had to drive 300 miles to get:

To mark this important time in iPhone history we're offering a $10 discount off the regular $30 one year subscription price of our premium service level. The discount is only available to new users with a Verizon iPhone. To claim your discount just create a new account then visit this page using your iPhone's browser: https://www.nuevasync.com/PublicSite/user/promotions/verizon-iphone.htm